Image: Asha Barbasschow/ZDNet
The second tranche of cyber laws in Australia has passed through both houses of parliament, meaning entities running “systems of national interest” will soon be subject to stricter cybersecurity obligations that could force them to install third-party software.
Home Affairs Minister Karen Andrews said the laws would increase the security and resilience of Australia’s critical infrastructure.
“During the pandemic, Australia’s critical infrastructure sectors are regularly targeted by malicious cyber actors seeking to exploit victims for profit, with utter disregard for the community and the essential services we all rely on,” Andrews said.
“The bill builds on the Morrison government’s strong support for our national security services, announced in Tuesday’s federal budget, to make Australia stronger and keep Australians safe in an increasingly uncertain world.”
Australia’s parliamentary committee charged with reviewing cyber laws backed the bill last week, saying it would create a standardised critical infrastructure framework that makes it easier for government and industry to take precautions against cyber-attacks.
The laws, packaged in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, were initially intended to be part of the first tranche of cyber laws for critical infrastructure entities enacted last year. However, they were eventually left out of the first set of laws, as the federal government wanted further consultations with industry on how they could design a regulatory framework for critical infrastructure together.
In addition to stricter cybersecurity obligations, the critical infrastructure reforms will require critical infrastructure entities to maintain a risk management program that identifies threats to critical infrastructure assets and the likelihood of their occurrence. Entities will also be required to submit an annual report on the risk management program and on any hazards that have had a significant impact on critical infrastructure assets.
Home Affairs Secretary Mike Pezzullo previously said the cost of running the risk management program would average a one-time payment of AU$9.7 million to set up the program and an annual running cost of AU$3.7 million.
In the bigger picture, the critical infrastructure reforms and the ransomware action plan will serve as the federal government’s primary regulatory effort to bolster Australia’s cybersecurity posture. They are separate from the Coalition’s newly proposed AU$9.9 billion cybersecurity program announced in the federal budget, which is primarily aimed at providing more resources to the Australian Signals Directorate.